Filewave

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI05: Unexpected Code Execution
What this means

Installing the skill may run local code and prompt for credentials earlier than expected.

Why it was flagged

The documentation describes automatic post-install Python execution, while the supplied registry/install summary says there is no install spec. Because this hook collects server and API token details, the install behavior is materially under-declared.

Skill content
"The Key Point: Onboarding Runs AUTOMATICALLY During Installation" ... "onInstall": "python3 lib/onboarding.py"
Recommendation

Do not install on a production admin machine until the actual manifest/install hook is reviewed; installation behavior should be declared consistently in registry metadata.

What this means

A token used with this skill may allow broad access to managed-device inventory and device metadata changes, including production environments.

Why it was flagged

The skill requires a bearer API token that can query and mutate FileWave UEM device records and refresh the model, but the registry metadata declares no primary credential or environment-variable contract.

Skill content
"FileWave API token" ... "Authorization: Bearer <token>" ... "PATCH /filewave/api/devices/v1/devices/{id}" ... "POST /filewave/api/fwserver/update_model"
Recommendation

Use a least-privilege FileWave token, separate lab and production profiles, and ensure the skill metadata clearly declares required credentials and write permissions.

Note (High Confidence)
ASI08: Cascading Failures
What this means

A bad CSV or wrong profile could rename or reassign many devices before the mistake is noticed.

Why it was flagged

The documented bulk workflow can apply CSV-driven changes across many managed devices and then refresh the FileWave model so changes propagate.

Skill content
"PATCH device name" ... "PATCH enrollment user" ... "After all devices are updated, FileWave's internal model is refreshed"
Recommendation

Test with a small lab batch first, avoid --confirm for production runs, keep backups/exports of current device metadata, and verify the selected profile before running bulk updates.

What this means

Sensitive device inventory metadata may remain on the local machine for up to seven days.

Why it was flagged

The skill persistently caches device identifiers and group mappings for performance, including potentially the entire fleet.

Skill content
"7-Day TTL Cache: Stores `Device ID`, `Serial Number`, `Device UID`, and `Group` mappings" ... "warm-cache command ... index the entire fleet"
Recommendation

Use the cache only on trusted admin machines, avoid warming the cache unnecessarily, and clear local cache data when no longer needed.